After diving into the code injected within BA’s website, Klijnsma found just 22 lines of JavaScript code were the ones to blame for the data stolen from British Airways’ 380,000 customers affected by the hack.

In past incidents, Magecart used the stolen information to perform card-not-present fraud and employ mules to reship goods to addresses in Eastern Europe.

Klijnsma said Magecart attackers customized the skimming script to make it less obvious and set up an infrastructure that would blend in with normal payment processing to avoid detection: The grabbed information was sent to a domain named baways.com and the attackers loaded the server with an SSL certificate.

“What is interesting to note from the certificate the Magecart actors used is that it was issued on August 15th, which indicates they likely had access to the British Airways site before the reported start date of the attack on August 21st—possibly long before. Without visibility into its Internet-facing web assets, British Airways were not able to detect this compromise before it was too late,” Klijnsma said in a post.

“The attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

And since the BA mobile application loads content from the website, the skimming script worked to steal the info provided by mobile users.

“One thing to note is that the magecart actor(s) put in the touchend callback in the skimmer to make it work for mobile visitors as well, which again shows us the high level of planning and attention to detail displayed in this simple yet extremely effective attack,” Klijnsma said.